Windows server switch opens door to security risk

It's not Y2K or ICD-10, but another deadline looms on healthcare information technology leaders' to-do list: upgrade a computer server operating system or risk a security breach.

The so-called “end-of-life” deadline for Microsoft's Windows Server 2003 is July 14.

The popular but now 12-year-old software still runs on millions of computers around the world, including thousands in the U.S. healthcare industry.

David Mayer is practice director for Microsoft Solutions at Insight Enterprises. The Tempe, Ariz., company is an independent consultant and supplier of hardware, software and services using Microsoft products.

Mayer said he works with four large healthcare organizations and “each of them has north of 250” servers still running on the Windows Server 2003 operating system.

Some, admittedly, use Windows Server 2003 only for back-office administrative applications.

That's the case at 242-bed St. Luke's Cornwall Hospital in Newburgh, N.Y. None of its mission-critical applications are running on Windows Server 2003, said Aaron Kramer, its director of information technology.

Most of the effort in switching from Windows Server 2003 will come in “identifying the handful of applications that are using it and deciding whether we're going to upgrade or go with something else,” Kramer said. The hospital has no hardware-related problems with the switch, he said. But that work is still time-intensive and potentially distracting from other projects, like ICD-10, Kramer said.

Many larger healthcare organizations may also have hardware that can't run any of the updated server operating systems, just as older computers built to use Windows XP couldn't run newer Windows operating systems when Microsoft dropped support for XP in 2014. That has rendered millions of desktop and laptop home and office computers obsolete.

Microsoft, Redmond, Wash., for its part, has a countdown clock on its website, which lists a slew of links to places for help and advice on transitioning out of Windows Server 2003.

According to an online survey of 500 information technology managers, conducted in February at companies with 500 or more employees in the U.S. and the United Kingdom, about one-third plan to keep running their systems on the aging software after the July 14 deadline.

That means an estimated 2.7 million servers with potentially hundreds of millions of files could be at risk, according to Bit9 + Carbon Black, a Waltham, Mass.-based data security software and services provider that funded the study.